openc3 5.11.3
OpenC3 stores passwords in clear text (GHSL-2024-129)
>= 5.19.0
Summary
OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128).
Note: This CVE only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition
Impact
This issue may lead to Information Disclosure.
NOTE: The complete advisory with much more information is added as comment.
OpenC3 Path Traversal via screen controller (GHSL-2024-127)
>= 5.19.0
Summary
A path traversal vulnerability inside of LocalMode's
open_local_file method allows an authenticated user with
adequate permissions to download any .txt via the
ScreensController#show on the web server COSMOS is running
on (depending on the file permissions).
Note: This CVE affects all OpenC3 COSMOS Editions
Impact
This issue may lead to Information Disclosure.
NOTE: The complete advisory with much more information is added as comment.
OpenC3 Cross-site Scripting in Login functionality (GHSL-2024-128)
>= 5.19.0
Summary
The login functionality contains a reflected cross-site scripting (XSS) vulnerability.
Note: This CVE only affects Open Source Edition, and not OpenC3 COSMOS Enterprise Edition
Impact
This issue may lead up to Remote Code Execution (RCE).
NOTE: The complete advisory with much more information is added as comment.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.